EXAMINER'S AMENDMENT

1 . An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided 
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview 
with Attorney Shelley M. Beckstrand on June 12, 2006. 

In the claims: 

Please cancel claims 5, 11, and 13-15.
Please replace claims 1, 4, 6, 8, 12, and 16-21. 

Claim 1. [Currently amended] A method of operating a virtual private network
(VPN) based on [[IP sec]] IPsec that integrates network address translation (NAT) with 
[[IP sec]] IPsec processing, comprising the steps executed at one end of a VPN 
connection of: 

configuring a VPN NAT IP address pool on a VPN gateway machine at said one 
end of a VPN connection employing only IP address data available at said VPN 
gateway machine; 

configuring at said one end of said VPN connection a VPN connection to utilize 
said VPN NAT IP address pool; 
obtaining at said one end of said VPN connection a specific IP address from said
VPN NAT IP address pool, and allocating said specific IP address for said VPN 
connection; 

starting said VPN connection; 

loading to an operating system kernel at said one end of said VPN connection 
the security associations and connection filters for said VPN connection; 
processing at said one end of said VPN connection an IP datagram for said VPN
connection;

applying VPN NAT at one end of said VPN connection to said IP datagram with
source and destination port values after the application of VPN NAT being the
same as before application of VPN NAT[[.]]; and

further for integrating NAT with [[IP sec]] IPsec for dynamically-keyed [[(e.g. IKE)]]
internet key exchange protocol (IKE) [[IP sec]] IPsec connections, comprising the
further step of:

configuring the VPN connections to obtain their keys automatically. 

Claim 4. [Currently Amended] The method of claim 1, further for integration of NAT
with IP Sec for manually-keyed [[IP sec]] IPsec connections, comprising the 
further step of manually configuring connection keys. 



Application/Control Number: 09/578,215 Page 4

Art Unit: 2135 

Claim 5. [Canceled] The method of claim 1, further for integrating NAT with [[IP
sec]] IPsec for dynamically-keyed (e.g. IKE) [[IP sec]] IPsec connections,
comprising the further step of:

configuring the VPN connections to obtain their keys automatically.



Claim 6. [Currently Amended] The method of claim 1, further for integrating NAT
with [[IP sec]] IPsec Security Associations, negotiated dynamically by [[(e.g. IKE)]] 
internet key exchange protocol (IKE) , wherein said starting step further 
comprises creating a message for IKE containing said IP address from said NAT 
pool; and further comprising the step of operating IKE to obtain dynamically 
negotiated keys. 

Claim 8. [Currently amended] A computer implemented method for allowing the 
definition and configuration of NAT directly with definition and configuration of 
IPsec -based VPN connections and VPN policy, comprising the steps executed 
by a digital processor at one end of a VPN connection of: 
configuring at one end of said VPN connection the requirement for VPN NAT by 
a yes/no decision in a policy database for each of the three types of VPN NAT, 
said three types being VPN NAT type a outbound source IP NAT, VPN NAT type 
c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT; 
[[and]] 
configuring at said one end of said VPN connection on a VPN gateway machine
at said one end of a VPN connection employing only IP address data available at 
said VPN gateway machine a remote IP address pool or a server IP address pool 
selectively responsive to said yes/no decision for each said VPN NAT type; and 
upon subsequent start of said VPN connection, processing inbound and 
outbound packets at said one end of said VPN connection responsive to 
configuration of said VPN NAT in said policy database and configuration of said 
remote IP address pool[[.]]; and

further for integrating NAT with [[IP sec]] IPsec for dynamically-keyed
[[(e.g. IKE)]], internet key exchange protocol (IKE), [[IP sec]] IPsec connections,
comprising the further step of:

configuring the VPN connections to obtain their keys automatically.

Claim 11. [Currently amended] A computer implemented method of providing
customer tracking of VPN NAT activities as they occur in an operating system
kernel, comprising the steps executed at one end of a VPN connection of:

responsive to VPN connection configuration, generating journal records as a log
entry in a file system of an operating system at said one end of said VPN
connection;

updating at said one end of said VPN connection said journal records with new
records for each datagram processed through a VPN connection; and
enabling a customer to manage said journal records.
Claim 12. [Currently amended] A computer implemented method of allowing a VPN
NAT address pool to be associated with a gateway, thereby allowing server load- 
balancing, comprising the steps executed by a digital processor at one end of a 
VPN connection of: 

configuring at said one end of said VPN connection a server VPN NAT IP 
address pool for a system being configured; 

storing at said one end of said VPN connection specific IP addresses that are 
globally routable in said server VPN NAT IP address pool; 
configuring at said one end of said VPN connection a VPN connection to utilize 
said server VPN NAT IP address pool; and 

managing at said one end of said VPN connection total volume of concurrent 
VPN connections responsive to the number of addresses in said server VPN 
NAT IP address pool with source and destination port values before and after 
application of VPN NAT being the same[[.]]; and
further for integrating NAT with [[IP sec]] IPsec for dynamically-keyed
[[(e.g. IKE)]] internet key exchange protocol (IKE), [[IP sec]] IPsec connections,
comprising the further step of:

configuring the VPN connections to obtain their keys automatically.
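The pool configured as ranges and single addresses, the per-connection allocation of a specific pool address, the limit on concurrent connections set by the pool size, and NAT applied without touching port values, as recited in claims 1, 8 and 12, as an added example in Python that is not part of the application or of this amendment. The pool syntax, the yes/no policy dictionary for NAT types a, c and d, and every class and function name are assumptions made for the illustration.

```python
"""Added illustration, not code from the application: a small model of a VPN
gateway that keeps VPN NAT IP address pools, allocates one pool address per
connection, refuses new connections once a pool is exhausted, and applies the
three VPN NAT types (a: outbound source, c: inbound source, d: inbound
destination) without rewriting port numbers. Pool syntax, policy keys and all
names below are assumptions for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Connection:
    local: str    # real address of the local host behind the gateway
    remote: str   # address of the peer at the other end of the tunnel
    alloc: dict   # pool kind -> pool address allocated to this connection


def expand_pool(spec):
    """Expand a pool configured as ranges ('lo-hi'), single addresses, or any mix."""
    addrs = []
    for item in spec:
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(s.strip()) for s in item.split("-", 1))
            if hi < lo:
                raise ValueError(f"bad range {item!r}")
            addrs.extend(str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1))
        else:
            addrs.append(str(ipaddress.IPv4Address(item.strip())))
    return addrs


class VpnNatGateway:
    """One end of the VPN: policy database (yes/no per NAT type) plus address pools."""

    def __init__(self, server_pool, remote_pool, policy):
        self.pools = {"server": expand_pool(server_pool), "remote": expand_pool(remote_pool)}
        self.policy = policy   # e.g. {"a": True, "c": False, "d": True}
        self.active = {}       # connection id -> Connection

    def _needs(self, kind):
        # Types a and d draw from the server pool, type c from the remote pool.
        if kind == "server":
            return self.policy["a"] or self.policy["d"]
        return self.policy["c"]

    def start_connection(self, conn_id, local, remote):
        """Allocate pool addresses; return None (start refused) if a needed pool is empty."""
        if conn_id in self.active:
            raise ValueError(f"connection {conn_id} already active")
        alloc = {}
        for kind in ("server", "remote"):
            if not self._needs(kind):
                continue
            if not self.pools[kind]:
                for k, a in alloc.items():   # roll back a partial allocation
                    self.pools[k].insert(0, a)
                return None
            alloc[kind] = self.pools[kind].pop(0)
        self.active[conn_id] = Connection(local, remote, alloc)
        return alloc

    def stop_connection(self, conn_id):
        """Return the connection's addresses to their pools so another connection can start."""
        conn = self.active.pop(conn_id)
        for kind, addr in conn.alloc.items():
            self.pools[kind].append(addr)

    def apply_nat(self, conn_id, dg, direction):
        """Translate addresses per policy; source and destination ports are left unchanged."""
        conn = self.active[conn_id]
        src, dst = dg.src, dg.dst
        if direction == "outbound" and self.policy["a"] and src == conn.local:
            src = conn.alloc["server"]                     # type a: outbound source IP NAT
        elif direction == "inbound":
            if self.policy["c"] and src == conn.remote:
                src = conn.alloc["remote"]                 # type c: inbound source IP NAT
            if self.policy["d"] and dst == conn.alloc.get("server"):
                dst = conn.local                           # type d: inbound destination IP NAT
        return Datagram(src, dst, dg.sport, dg.dport)      # same ports before and after


def demo():
    # Constructed sample configuration: two globally routable server-pool addresses,
    # so at most two connections can be active at once.
    gw = VpnNatGateway(["203.0.113.10-203.0.113.11"], ["10.9.0.1"],
                       {"a": True, "c": False, "d": True})
    first = gw.start_connection("c1", "192.168.1.5", "198.51.100.7")
    second = gw.start_connection("c2", "192.168.1.6", "198.51.100.8")
    third = gw.start_connection("c3", "192.168.1.7", "198.51.100.9")   # refused: pool exhausted
    out = gw.apply_nat("c2", Datagram("192.168.1.6", "198.51.100.8", 40000, 443), "outbound")
    back = gw.apply_nat("c2", Datagram("198.51.100.8", "203.0.113.11", 443, 40000), "inbound")
    return first, second, third, out, back


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because only addresses are rewritten, the port-based filters and security associations loaded for the connection keep matching the datagram after translation; the connection count is bounded by the pool rather than by a separate counter.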
Claim 13. [Canceled] A method of controlling the total number of VPN connections
for a system based on availability of VPN NAT addresses, comprising the steps
executed at one end of a VPN connection of:

configuring on a VPN gateway machine at said one end of said VPN connection
employing only IP address data available at said VPN gateway machine the
totality of remote IP address pools with a common set of IP addresses, said
addresses being configured as a range, as a list of single addresses, or any
combination of multiple ranges and single addresses; and
limiting at said one end of said VPN connection the successful start of
concurrently active VPN connections responsive to the number of said IP
addresses configured across the totality of said remote address pools.



Claim 14. [Canceled] A method of performing virtual private network (VPN) network
address translation on selected ICMP datagrams, comprising the steps executed
at one end of a VPN connection of:

combining at said one end of said VPN connection [[IP sec]] IP security & VPN
NAT by detecting selected types of ICMP type packets; and
responsive to said selected types, performing at said one end of said VPN
connection network address translation functions on the entire datagram
including ICMP data.
Claim 15. [Canceled] A method of performing virtual private network (VPN) network
address translation on selected FTP datagrams, comprising the steps executed
at one end of a VPN connection of:

combining at said one end of said VPN connection [[IP sec]] IP security & NAT by
detecting the occurrence of FTP PORT or PASV FTP commands; and
responsive to said command, performing at said one end of said VPN connection
network address translation on the FTP data and the header.

Claim 16. [Currently amended] A computer system for operating a virtual private 
network (VPN) based on [[IP sec]] IPsec that integrates network address 
translation (NAT) with [[IP sec]] IPsec processing executed by a digital processor 
at one end of a VPN connection, comprising: 

means for configuring on a VPN gateway machine at said one end of a VPN 
connection a VPN NAT IP address pool employing only IP address data available 
at said VPN gateway machine; 

means for configuring at said one end of said VPN connection a VPN connection 
to utilize said VPN NAT IP address pool; 

means for obtaining at said one end of said VPN connection a specific IP 
address from said VPN NAT IP address pool, and allocating said specific IP 
address for said VPN connection; 

means for starting said VPN connection at said one end of said VPN connection; 
means for loading at said one end of said VPN connection to an operating
system kernel the security associations and connection filters for said VPN 
connection; 

means for processing at said one end of said VPN connection an IP datagram for
said VPN connection; [[and]]

means for applying at said one end of said VPN connection VPN NAT to said IP 
datagram with source and destination port values after application of VPN NAT 
being the same as before application of VPN NAT[[.]]; and
further for integrating NAT with [[IP sec]] IPsec for dynamically-keyed
[[(e.g. IKE)]], internet key exchange protocol (IKE), [[IP sec]] IPsec connections,
comprising the further step of:

configuring the VPN connections to obtain their keys automatically.

Claim 17. [Currently amended] A system for definition and configuration of NAT 
directly with definition and configuration of VPN connections and VPN policy 
executed by a digital processor at one end of a VPN connection, comprising: 
a computer readable medium embodying a policy database for configuring at said
one end of said VPN connection the requirement for VPN NAT by a yes/no 
decision for each of the three types of VPN NAT, said three types being VPN 
NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, 
and VPN NAT type d inbound destination IP NAT; and 
a remote IP address pool or a server IP address pool at said one end of said
VPN connection selectively configured on a VPN gateway machine at said one
end of a VPN connection responsive to said yes/no decision for each said VPN
NAT type employing only IP address data available at said VPN gateway
machine[[.]];

upon subsequent start of said VPN connection, processing inbound and
outbound packets at said one end of said VPN connection responsive to
configuration of said VPN NAT in said policy database and configuration of said
remote IP address pool; and

further for integrating NAT with [[IP sec]] IPsec for dynamically-keyed
[[(e.g. IKE)]], internet key exchange protocol (IKE), [[IP sec]] IPsec connections,
comprising the further step of:

configuring the VPN connections to obtain their keys automatically.

Claim 18. [Currently amended] A system implemented at one end of a VPN 
connection for allowing a VPN NAT address pool to be associated with a 
gateway, thereby allowing server load-balancing, comprising: 
a server VPN NAT IP address pool on a VPN gateway machine at said one end 
of a VPN connection configured for a given system being configured for 
containing multiple [[address]] addresses configured as a range, as a list of single
addresses, or any combination of multiple ranges and single addresses 
employing only IP address data available at said VPN gateway machine; 
said server VPN NAT IP address pool storing specific IP addresses that are
globally routable; 

a VPN connection at said one end of said VPN connection configured to utilize 
said server VPN NAT IP address pool; and 

a connection controller for managing at said one end of said VPN connection 
total volume of concurrent VPN connections responsive to the number of 
addresses in said server VPN NAT IP address pool with source and destination 
port values after application of VPN NAT being the same as before application of 
VPN NAT[[.]]; and

further for integrating NAT with [[IP sec]] IPsec for dynamically-keyed
[[(e.g. IKE)]], internet key exchange protocol (IKE), [[IP sec]] IPsec connections,
comprising the further step of:

configuring the VPN connections to obtain their keys automatically.

Claim 19. [Currently amended] A program storage device readable by a machine, 
tangibly embodying a program of instructions executable by a machine to 
perform method steps executed at one end of a VPN connection for operating a 
virtual private network (VPN) based on [[IP sec]] IPsec that integrates network 
address translation (NAT) with [[IP sec]] IPsec processing, said method steps 
comprising: 


configuring on a VPN gateway machine at said one end of a VPN connection a 
NAT IP address pool employing only IP address data available at said VPN 
gateway machine; 

configuring at said one end of said VPN connection a VPN connection to utilize 
said VPN NAT IP address pool; 

obtaining a specific IP address from said VPN NAT IP address pool, and 
allocating at said one end of said VPN connection said specific IP address for 
said VPN connection; 

starting said VPN connection at said one end of said VPN connection; 
loading to an operating system kernel at said one end of said VPN connection 
the security associations and connection filters for said VPN connection; 
processing at said one end of said VPN connection an IP datagram for said VPN
connection; and

applying at said one end of said VPN connection VPN NAT to said IP datagram
with source and destination port values after application of VPN NAT being the
same as before application of VPN NAT[[.]]; and

further for integrating NAT with [[IP sec]] IPsec for dynamically-keyed
[[(e.g. IKE)]], internet key exchange protocol (IKE), [[IP sec]] IPsec connections,
comprising the further step of:

configuring the VPN connections to obtain their keys automatically.



Claim 20. [Currently amended] An article of manufacture comprising:
a computer useable medium having computer readable program code means
embodied therein for operating a virtual private network (VPN) based on [[IP 
sec]] IPsec that integrates network address translation (NAT) with [[IP sec]] IPsec 
processing executed at one end of a VPN connection, the computer readable 
program means in said article of manufacture comprising: 
computer readable program code means for causing a computer to effect 
configuring a VPN NAT IP address pool on a VPN gateway machine at said one 
end of a VPN connection employing only IP address data available at said VPN 
gateway machine; 

computer readable program code means for causing a computer to effect 
configuring at said one end of said VPN connection a VPN connection to utilize 
said VPN NAT IP address pool; 

computer readable program code means for causing a computer to effect 
obtaining at said one end of said VPN connection a specific IP address from said 
VPN NAT IP address pool, and allocating said specific IP address for said VPN 
connection; 

computer readable program code means for causing a computer to effect starting 
at said one end of said VPN connection said VPN connection; 
computer readable program code means for causing a computer to effect loading 
at said one end of said VPN connection to an operating system kernel the 
security associations and connection filters for said VPN connection; 
computer readable program code means for causing a computer to effect
processing at said one end of said VPN connection an IP datagram for said VPN
connection; and

computer readable program code means for causing a computer to effect 
applying at said one end of said VPN connection VPN NAT to said IP datagram 
with source and destination port values after the application of VPN NAT being 
the same as before application of VPN NAT[[.]]; and
further for integrating NAT with [[IP sec]] IPsec for dynamically-keyed
[[(e.g. IKE)]], internet key exchange protocol (IKE), [[IP sec]] IPsec connections,
comprising the further step of:

configuring the VPN connections to obtain their keys automatically.

Claim 21. [Currently amended] A computer implemented method for providing IP
security in a virtual private network using network address translation (NAT), 
comprising the steps executed by a digital processor at one end of a VPN 
connection of: 

dynamically generating at said one end of said VPN connection NAT rules and 
associating them selectively with manual and dynamically generated [[(e.g. IKE)]], 
internet key exchange protocol (IKE), Security Associations , comprising the 
further step of: 

configuring the VPN connections to obtain their keys automatically; thereafter
beginning at said one end of said VPN connection IP security that uses the
Security Associations; and then

as [[IP sec]] IP security is performed on outbound and inbound datagrams,
selectively performing at said one end of said VPN connection one or more of
VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP
NAT, and VPN NAT type d inbound destination IP NAT on said outbound and
inbound datagrams[[.]], so as to provide said IPsec for communication
conducted in said VPN.

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Linh LD Son whose telephone number is 571-272-3856. 
The examiner can normally be reached on 9-6 (M-F). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Linh LD Son,
Examiner
Art Unit 2135